In part one of this two-part series, we discussed why organizations should adopt a SIEM solution to ensure network security. In this second part, we’ll be demystifying the critical capabilities of SIEM tools and show you what to consider when picking a solution.

Budget plays a crucial role

When purchasing a SIEM solution, budget plays an important role. Some SIEM vendors license their solution based on the volume of log data that is being processed, meaning the product’s price tends to fluctuate. On the other hand, when licensing is based on the number of log sources being added for monitoring—with no limit on the volume of log data being processed—then your spending tends to remain constant. These source-dependent pricing models also help you accommodate your SIEM solution better during network expansions.

Apart from budget constraints, the SIEM solution you choose must provide certain capabilities.

The seven capabilities you must consider while choosing a SIEM solution

1. Scalability: Whatever the license model, the SIEM solution that you choose must be able to scale both horizontally and vertically. When your organization grows, your SIEM solution should grow too. Find out how many log sources a single instance of the solution can handle and check whether that falls within your network size. Also, make sure to check the SIEM solution’s peak event handling capacity, which should fall within your log generation limits.

Did you know that Log360, our comprehensive SIEM solution, can handle 25,000 logs/second? Check out what else this solution has to offer.

2. Log data compatibility: Your network probably has a wide range of devices, each with its own log type. You might have a mix of network perimeter devices—such as routers, switches, firewalls, and IDS/IPS—as well as applications, servers, workstations, and even entire cloud environments. The SIEM solution you choose should be able to assimilate log data from all these platforms, right out of the box. It should only take minimal effort to configure log collection and analysis from the devices in your network.

Just saying, Log360 can automatically parse and analyze log data from more than 750 log sources. Furthermore, the solution’s custom log parser can automatically create parser rules for any human-readable log format.

3. Intuitive and interactive visualization: Analytics is the key feature of every SIEM solution. SIEM solutions are designed to automate the log management process and specifically to extract meaningful information from these logs and present them as actionable insights. So, for basics, look for effective reporting capabilities that help meet your security, auditing, and compliance needs. It should also have an interactive dashboard that presents exactly what you need, including drill-down capabilities.

4. Effective forensic analysis: Security operations centers (SOCs) are responsible for carrying out rapid and accurate forensic analysis of every detected incident to learn from them, and ultimately prevent new threats and contain ongoing attacks. How quickly you contain an attack depends on how long it takes to discover it. Therefore, ensure that your SIEM solution possesses high-speed and efficient forensic analysis capabilities. Also, building search queries without having to use a query language is a must for any SIEM solution you choose.

5. Ready-made and tailor-made components: Although all SIEM solutions come with prebundled auditing reports, alert profiles, correlation rules, and compliance report templates, you might find these features difficult to use. There is always a need for customization to fine-tune threshold values of alert profiles, change report elements, and modify criteria for correlation rules so that they fit your network. Ensure that the SIEM solution you choose comes with both an exhaustive set of predefined components as well as the ability to customize them with minimal effort.

6. Security orchestration: Your SIEM tool should work in harmony with other IT management solutions in your network. Your network might contain solutions that ease your IT operations, such as a monitoring tool that watches the performance and health of devices and servers, or help desk solutions that assist in resolving IT-related queries. The SIEM solution that you choose should be able to effectively get input from and feed data to your other IT management solutions. For instance, your SIEM solution should be able to receive server downtime alerts from your monitoring solution and validate whether these alerts signal a DDoS attack. When your SIEM tool identifies an attack, it should be able to raise this incident as a ticket in your help desk and assign that ticket to a security administrator for effective incident resolution.

7. Predictive intelligence: Predictive intelligence makes SIEM solutions stand out from other network security solutions. The SIEM solution that you choose should be able to add business context to events occurring on your network, plot user and entity behavior trends, identify variations from typical trends, and provide real-time notifications about deviations. Your SIEM tool must come with rules and algorithms based on machine learning that can identify suspicious behavior in your network.

Gartner’s 2018 Magic Quadrant for SIEM outlines other capabilities a SIEM solution should have. Read the report to see why Log360 was featured.

The post Adopting a SIEM solution, Part 2: What should you consider when choosing a SIEM tool? appeared first on ManageEngine Blog.

 As a security professional, you might think that the GDPR is all about data subjects’ rights and getting proper consent, which means you have little to no role in ensuring compliance for this regulation in your company. This, however, is a widespread misconception—one that may end up costing millions in fines for the businesses who believe it. Here are two reasons you should be taking the GDPR seriously:

• Reason #1: The GDPR insists on deploying technical measures to ensure the integrity, confidentiality, and availability of personal data. This goal, of course, is simply added to the bucket of tasks data security and IT security professionals like you carry around daily. You should make sure that you have proper technical measures in place, because you’ll be accountable for both ensuring personal data is not modified in an unauthorized manner as well as ensuring that the systems and applications processing personal data aren’t compromised or inaccessible for extended periods.
• Reason #2: One of the most critical requirements of the GDPR is notifying the lead supervisory authority upon a data breach. When it comes to network security, the GDPR understands that attacks can’t always be blocked proactively. Taking this into account, the GDPR insists on using a proper breach detection and a reporting mechanism that’s capable of promptly detecting data breaches. To that same effect, within 72 hours of detecting a breach, you’re required to report it in detail (including consequences of the data breach, number of records affected, measures taken to mitigate and prevent such attacks in future, etc.) to the supervisory authority. But that’s not all; security professionals are also liable for implementing security measures that prevent known data breaches from happening, and meeting these requirements (Article 32) is surely the responsibility of a security administrator.

The deadline for the complete implementation of the GDPR is fast approaching, so you need to act quickly if you wish to meet these security requirements in time. That’s why we’ve drafted The Security Admin’s Survival Guide for the GDPR. This e-book is designed to show you:

• Five security measures that you must adopt to be GDPR compliant, including:
  • Discovering, isolating, and backing up data.
  • Setting up security configurations.
  • Configuring alerts to detect security incidents.
  • Setting up notifications to instantly detect breach attempts.
  • Generating post-breach incident reports.

• How ManageEngine can help you comply with the GDPR.

 Read The Security Admin’s Survival Guide for the GDPR.

The post Are you GDPR ready?  appeared first on ManageEngine Blog.

Security information and event management (SIEM) helps with managing and analyzing the vast amount of log information generated by networks. Of all the capabilities of SIEM, event correlation is the most powerful. This technique analyzes log data from your servers, applications, routers, firewalls, and other network devices, and identifies patterns of activity that indicate potential attacks. Event correlation lets you get the most out of the information you already have so you can streamline security incident detection. 

What types of attacks does event correlation detect?

Event correlation follows a bottom-up approach. When it detects an individual event that could be part of an attack, it looks for a related sequence of events until it can validate the existence of a potential attack pattern. With this approach, event correlation has the flexibility to look for a limitless number of patterns so you can keep up with constantly evolving attacks on your network. Below are a few classes of attacks which this technique helps you ward off:

• Advanced persistent threats: Discover attackers who attempt to move through your network undetected and conduct malicious activity in the background. Event correlation helps you discover these attempts by looking out for key indicators that suggest malicious background activity. For instance, you can identify the creation of backdoor accounts as well as the installation of suspicious software and services.
• Data breaches: Monitor your confidential data to ensure it remains protected from illegal accesses. Examples of this include anomalous file deletions or unauthorized SQL backups.
• Malicious insiders: Keep an eye on your employees by looking out for malicious insider activity. Brute-force entry to critical organization servers or workstations as well as unwarranted use of network resources fall under this category.
• Lateral movement: Detect lateral movement through your network and contain damage before it spreads. This could include a worm being installed on several network devices or multiple file modifications across the network, which could indicate possible ransomware activity.

How do organizations benefit?

• Integrated perspective on security: With event correlation, security is enforced on the network as a whole rather than separately for different devices.
• Quicker, more accurate incident detection: Event correlation identifies events within moments, as soon as the logs are collected and processed. It also provides context to individual events by looking for a trail of related events. This makes detecting incidents more accurate and reduces false positives.
• Continuous improvement of security policies: Detected incidents reveal weak areas in your network, which helps security administrators prioritize and strengthen security in the areas that need it most.
• Efficient forensic investigations: By providing the full picture of how an attacker was able to breach a network, event correlation lays a strong foundation for further forensic investigations.
• Easy IT compliance: Adhering to compliance policies is easier when you can show that there are strong systems in place to detect incidents and discover exactly how they came about.

To gain a better understanding of event correlation, you can sign up for a personal demo of ManageEngine Log360’s event correlation module. You can gain an in-depth look at this technique and understand how your organization can use it to detect attacks at the earliest.

The post Connecting the logs with event correlation appeared first on ManageEngine Blog.

But, like all great things, log management is not easily achieved. Thankfully, there are solutions like EventLog Analyzer that make the job easy for you by centrally managing millions of logs from your network. But what exactly does log management involve? It’s a pretty vast subject that covers several processes, including:

• Log collection: Connecting to hundreds of heterogeneous devices on your network and collecting their logs in a central location.
• Log normalization: Converting logs from multiple formats to a standard format, which makes analysis easier.
• Log analysis: Extracting useful information from logs and generating reports and alerts, or facilitating in-depth log searches.
• Log archival: Storing logs until they are no longer required.
• Compliance: Ensuring compliance with the policies set forth by regulatory bodies.

At face value, these processes may sound simple. However, if you dig a little deeper into any one of them, you’ll find yourself hitting multiple roadblocks. How do you conduct effective forensic investigations with your log information? Can you use your logs to predict events that haven’t happened yet? Are your logs secure at all stages of the log management process?

Post your log management queries on the ManageEngine community

If you’ve ever asked yourself any of these questions, we invite you to come discuss them with us. On March 14th and 15th, our product experts will answer any questions you may have about EventLog Analyzer, or even about the SIEM industry in general. Head on over to our forum and post your thoughts, questions, and ideas. We look forward to reading your posts and diving into conversation with you all!

The post Talk to our experts about the essentials of log management appeared first on ManageEngine Blog.

In terms of collaboration, Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) represent a revolution in the security industry. These protocols transformed the field of threat intelligence from a fragmented collection of information to a unified standard for information sharing. In this blog, I will examine this transition and how it came about.

Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” In short, threat intelligence combines all known information about previously encountered threats to aid organizations in identifying and responding to similar threats in the future.

The old days of threat intelligence

Like any game of cat and mouse, the security industry has been chasing after cyber threats for as long as many IT professionals can remember. The more sophisticated and organized cyber attacks became, the harder security vendors worked to create comprehensive solutions. These security solutions eventually met all areas of attack detection and mitigation, and could produce every component of threat intelligence. Unfortunately, these components were highly disjointed due to multiple formats and sharing protocols.

Think about this in terms of a ransomware attack. Organizations rarely use just one security solution to deal with ransomware. Many need separate tools to identify ransomware activity in the first place, record information about malicious files, and actually respond to the threat. Now, imagine if all these tools couldn’t share threat information with each other.

Well, that was a big problem in the past; each tool used its own formats, and admins needed custom communication protocols to share information between security solutions. As you can imagine, consolidating threat information from all these sources took a lot of time. And with modern cyber attacks demanding immediate attention, less than real-time threat intelligence just wasn’t going to cut it anymore.
The STIX and TAXII revolution

In response to these problems, MITRE Corporation and the Department of Homeland Security together developed STIX and TAXII, community-driven protocols for information sharing that include details on what’s going on in the cybersecurity landscape, and how organizations can protect their network and analyze threats. Developing a common language across product and organizational boundaries opened the door for multiple sources to collaboratively update information about a single threat, giving organizations more complete threat intelligence. Together, STIX and TAXII have made sharing threat data more convenient and instantaneous, ensuring enterprises can quickly and effectively detect and respond to incidents.

Threat feeds based on STIX and TAXII provide up-to-date, reliable threat information, which is why many vendors have incorporated these protocols into their security solutions. In fact, our own log management solution, EventLog Analyzer, comes with a built-in STIX/TAXII threat feed processor, using the latest threat intelligence to monitor network logs for threats. You can learn more about it with this free solution brief.

The post Let’s talk about STIX, TAXII, and threat intelligence appeared first on ManageEngine Blog.

Before we jump into the third part of this GDPR blog series, let’s take a moment to think about a few questions. Such as, why are compliance mandates necessary? Are they framed to just prevent data breaches? Are compliance mandates established to just detect and report security attacks? I would say no! 

The primary objective of compliance mandates is to help enterprises prove that all is well within their network. Yes! You read it right. IT regulatory mandates are the checklists that help organizations show auditors that security measures are intact and that their network is safe and sound. 

With that said, let‘s now focus on the GDPR’s requirements, specifically establishing technical and organizational measures to streamline organizations’ auditing processes. 

The appropriate technical and organizational measures to tackle Article 32

The GDPR outlines requirements to ensure personal data safety. Whether it‘s getting consent from data subjects, storing personal data, appointing a data protection officer if needed, or notifying concerned officials in the event of a data breach, the GDPR covers most security aspects enterprises have to look into. 

But the GDPR isn’t as clear when defining the technical and organizational measures that a company should adopt. Here are two possible reasons the GDPR is less clear in this aspect:

• Reason #1: There are plenty of applications and platforms that help store personal data. Defining how to adopt policies for each platform or application would make the GDPR adoption process overly complicated. Therefore, the GDPR only outlines the general auditing and security policies that enterprises need to adopt.
• Reason #2: Security threats and data breaches are dynamic. There aren’t any hard and fast rules that define attack prevention. With that said, the best thing for enterprises to do is to adopt regular reviewing and auditing practices for monitoring each of their platforms that handle personal data. Restricting the adoption of best practices to specific applications or platforms would leave a big security loophole.

 Not sure whether you need to comply with the GDPR? Take our three minute quiz!

What does “appropriate technical and organizational measures“ actually mean?

You could store personal data in a database, such as MS SQL or Oracle Database, a file server, or even in a cloud environment. No matter where you store the data, make sure that the following measures are taken to ensure data safety. 

• Control who gets to access personal data: Devise proper access controls and restrict personal data access. Grant personal data handling access only to privileged users. 
• Audit user behavior: Keep track of when users:
  • Access your organization’s personal data storage platform (whether that’s a server, database, or cloud application).
  • Alter personal data (E.g. modify, delete, or rename files).
  • Perform access modifications, permission changes, and privilege escalations with respect to personal data access.
• Get real-time insights: Ensure that you’ve established a system that notifies you in real time about any abnormal or suspicious activities such as personal data deletion. 
• Always have a plan B: No matter what, be sure to retain data backups. That way, you can restore personal data in the event of data loss. Note that you need to get proper consent from data subjects before backing up their personal data. You must also ensure that your back ups are protected from tampering.

 You must be wondering where you can find a solution that will help you establish these measures. Check out what we have for you, right here!

Stay tuned for the fourth and final installment of this blog series on the GDPR. We will be discussing the most debated requirement, notification of personal data breaches.

The post Getting to know the GDPR: The technical and organizational measures appeared first on ManageEngine Blog.

In our release last month, we built on this idea by extending the feature to Syslog devices as well. Yes, that’s right! Now you can automatically discover any Syslog device based on its IP address/CIDR range. Simply specify the device’s range and SNMP credential and EventLog Analyzer will automatically scan your network for Syslog devices and display them along with the device type and vendor, as shown in the screenshot below.  

So, all you need to do is check the required device’s checkbox and click Add Device(s). Neat, right? And if the device you have added is a Linux/Unix machine, you can also automatically enable log forwarding from the EventLog Analyzer console itself, rather than having to go and configure the rsyslog.conf file in the Linux/Unix machine.

Collecting device logs is the first and most fundamental part of an SIEM solution, and we’ve made that as easy and efficient as possible to ease your log management and auditing woes.

So check out the latest EventLog Analyzer features and upgrade to our latest build.  

Oh, and by the way, be sure to register for my webinar on Log management best practices for SIEM scheduled for March 22nd at 2pm GMT.

The post Could adding devices for log collection be any easier? appeared first on ManageEngine Blog.

EventLog Analyzer is comprehensive log management software for SIEM that can help you achieve network security. On top of that, it’s easy to deploy and easy to use. Here are a few ways EventLog Analyzer enhances SIEM usability.

1. Group frequently used reports under “Favorite reports”

You may use certain reports more frequently, or may want to monitor certain types of events across all of your devices. EventLog Analyzer allows you to group various reports under “Favorites” to easily track events of interest. For instance, you can create your own report group called “Alert Favorites,” containing reports such as “Critical events based on host,” “Threat detections by McAfee,” “Printer document theft,” and more, so you can quickly access what you need.

2. Easy log searches

A personal favorite of mine, EventLog Analyzer provides intuitive search functionalities that enable you to easily construct complex search queries to efficiently troubleshoot and backtrack security attacks. The click based search is supplemented with the group, range, and wildcard search functionalities to give you full control over your log data.

3. Save a search query as an alert profile

Export the results of a search query as a report for later reference. In addition, you can save the search query itself as an alert so that when the search criteria are met, i.e. the same sequence of events in the query occurs, you will receive an alert via SMS or email. The alert criteria field is automatically populated from the search query, allowing you to set up the alert in a few clicks. So, the next time you face the same attack pattern, you won’t need to frantically search through your logs again. Instead, the alerts you previously set will be triggered, allowing you to proactively mitigate security threats.

It’s the little things that go a long way in terms of usability. EventLog Analyzer  empowers you to efficiently and easily manage your machine logs for ultimate security.  Learn more about EventLog Analyzer here.

The post Three ways EventLog Analyzer enhances SIEM usability appeared first on ManageEngine Blog.

To search for specific logs, you could type a search query such as:
USERNAME = “John” AND EVENTID = “4672” AND SEVERITY = “success”

However, typing out queries like this every time you have to search for something is neither an effective nor efficient way to go about searching logs. Search queries become more complex as additional search criteria are added. Moreover, you must be able to view all the data pertaining to a particular field in a single window to track events effectively. Say, for instance, you need to look at all hosts accessed by a particular user at a single glance.

EventLog Analyzer has a smarter search option, which allows you to intuitively create a complex search query in a jiffy.

Intuitive search mechanism of EventLog Analyzer

The first way to narrow down your search criteria is by choosing the log type, as shown in Figure 1.

Figure 1. Selecting the log type.

This will list all the Windows Event Log data for the specified time interval, as you can see in Figure 2.

Figure 2. Viewing the Windows Event Log data.

If you want to track the special logons made by a particular user on a particular machine, first, click on the Username field, which will display all the active users in ascending or descending order. You can select the user of interest here (see Figure 3). 

Figure 3. Selecting the user you want to track.

By clicking on the Type field in the log message, you can track all the different types of logs generated by this user such as security, application, PowerShell logs, and so on, as shown in Figure 4.

Figure 4. Selecting the type of logs you want to track.

Next, select the host on which you want to monitor the user’s activity by clicking on the Host field in the log message (see Figure 5).

Figure 5. Selecting the host you want to monitor.

And finally, you can select the event ID by clicking on the Event ID field in the log message, as shown in Figure 6. This will list the events performed by the selected user on the selected host.

Figure 6. Selecting the Event ID.

In this way, complex search queries can be performed conveniently in just a few simple steps! You can also easily save the results of your search as a report, or save the search query as an alert.                                                                                                    

Learn more about EventLog Analyzer’s search capabilities here.

The post How EventLog Analyzer simplifies log searches appeared first on ManageEngine Blog.